[57] ABSTRACT

Apparatus and method for discouraging computer theft. The 
apparatus and method requires that a password or other 
unique information be supplied to the computer before the 
computer BIOS routines can be completely executed. A 

r cgn'ne^w M 5h^w0iaete ^ requirec? 
password entered by the user, or a known quantity read from 
an externally connected memory device is present. The 
security function stored within the BIOS memory also 
includes an administration function which permits the
computer to be either placed in a locked state, thereby requiring
password or the known quantity read from an externally 
connected memory device to be present each time the 
computer is booted up. The administration function also 
permits an unlock state which permits the computer boot up 
process to complete without entering any password or 
externally supplied quantity. The external memory location 
is consulted during each boot up sequence, to determine 
whether the computer has been placed in the locked or in the 
unlocked state. If the security depends upon the supply of 
the known quantity from an externally connected memory 
device, the computer will be inoperable to anyone not in 
possession of the external memory device. In the event that 
the external memory location bearing the locked or unlocked 
code is removed, the security function assumes the computer 
to be in the locked state, thus frustrating avoidance of the 
locked state by tampering with the external memory. 

16 Claims, 5 Drawing Sheets 
APPARATUS AND METHOD FOR
PREVENTING THEFT OF COMPUTER
DEVICES

The present invention relates to the personal computer
art. Specifically, an apparatus and method are provided
which discourages the theft of personal computer systems by
rendering them inoperable to an unauthorized user.

The popularity of personal computing devices such as
notebook computers has resulted in an alarming increase in
theft of these devices. Although it is common to provide
password protection for computers, it is possible to avoid the
password protection by making some modified hardware
changes to the stolen computer. In prior art password
protection schemes, a password is stored in a CMOS RAM on
the mother board of the personal computer. If power is
removed from the computer including any backup battery
power supply, the CMOS RAM will eventually reset and
the protection of a stored password in the CMOS RAM is
lost.

Password protection may also be provided by a system
which stores the required password on the computer hard
disk. At boot up time the password is retrieved from the
hard disk and compared with a manually entered password.
Password protection passwords stored on the computer hard
disk may be defeated however, if the disk is completely
reformatted by a thief or his customer.

The automobile industry has had to confront the theft of
automobile radios with specific anti-theft circuits built into
the automobile radio. Theft protection circuitry incorporated
in the automobile radio renders the automobile radio useless
when it is removed from the vehicle. These measures have
discouraged the traffic in stolen car radios, as the units are
inoperable after the theft, and any attempts to have them
repaired would likely reveal the theft.

The implementation of anti-theft measures in a personal
computer such as a notebook computer must be effective
against the most technically sophisticated of thieves, but not
be so elaborate as to interfere with its normal use. The need
for theft security measures must be measured against the
inconvenience to the authorized user who may need to
power up the computer device on a frequent basis at times
when protection against theft is not needed. In these
circumstances, it is useful to have an anti-theft measure
which may be deactivated at the option of the user once the
user clearly establishes himself as authorized to deactivate
the anti-theft circuitry. Other problems which may result in
the use of these protection schemes include the
inconvenience which results from the loss of a password by a user.
In these instances it may be necessary to resort to the
manufacturer of the device to determine what password
should be used or to install a new password, representing an
obvious drawback for owners of these systems.

Many computer manufacturers have implemented
password protection in the computer BIOS (Basic Input/Output
System) which is integral to the operation of a personal
computer. The password protection in the BIOS halts the
system boot up unless the user enters a password which is
also stored in the foregoing CMOS RAM. As noted, if the
power is removed from the CMOS RAM, the password is
cleared and the system will boot up without requiring the
user to enter the required password.

Recent changes in the computer BIOS memory storage
devices permit writing data to the BIOS memory, offering
the opportunity to provide password protection within the
same memory which stores the BIOS routines. Thus, any
attempt to delete the protection will result in the BIOS
routine being disabled, disabling the boot up process.
EEPROM flash devices may be programmed with BIOS
routines which permit the user to enter data without
requiring the computer to be returned to the manufacturer. The
present invention makes use of these new BIOS memory
devices for effecting security measures which discourage
theft.

SUMMARY OF THE INVENTION

^ ( inventioD ^ for an apparatus and
method for discouraging theft. The invention requires that a
user enter a unique word or number related to the particular
computer each time the computer is powered up. The
con ^ uler . R i Q s.memur.v .Co^s 1 or.mu ri hc>B10S,roulii 1 ^,ato
s^^^S^M a minimum, the securitv.routine
re ^^^^^ oftatfass w^^h^^
^^^ ^^g^^^^^d
nlcmo| dc '^ c . ^ 7 ecurit y IKion storld in the BIOS
~; y ^^J^^ m administration function which may
be invoked by the user following the normal boot up
^ b m£ BIQS once me ofd of ^
^ ; fc verifled ^ function may
be ^ tQ ^ ^ tef ^ ^ locked
^ which ^ s veriflcation each time the ter
ejBCWM ^ mos rou{i or m the unlocked slale m which
^ tection fc b d each time the BI0S routines ut
executed. The locked or unlocked state is programmed by
a code nti each state t0 an intemal m
exeaUion of ^ BIQS routi me intemal ffl
containin the ^ ^ read> and the function
is invoked, or not, depending on the value of the read
code.

In accordance with one embodiment of the invention
when the computer is in the locked state, the external
memory must be operatively connected to the computer each
time the computer is booted up. If the user removes the
external memory, or inadvertently forgets to attach it to the
oomgge^ complete execution
of the BIOS routines.

In another embodiment of the invention, the locked state
requires the user to manually enter the password through the
keyboard in response to a prompt during execution of the
BIOS routine. The secuntvjtocUon»c ^
defined»passworfgsTole^imtfaedBl®^
supphe o^^ wQrd..Ilthet^o rr passwords?agree, the computer
compjete^xec^^

In either embodiment, the computer may be unlocked by
accessing the administrative function once the computer has
completed execution of the BIOS routines. In the unlocked
state neither the external memory is necessary nor is the user
required to enter a password each time the system is booted
up.

DESCRIPTION OF THE DRAWINGS

FIG. 1 illustrates the basic of a personal
computing system.

FIG. 2 illustrates in accordance with a preferred
embodiment of the invention a security key for preventing operation
of the personal computer when it is disconnected from the
computer.

FIG. 3 illustrates the organization of a memory 15 holding
the BIOS routines as well as a security function for the
computer.

FIG. 4 illustrates the organization of a CMOS RAM 17
which participates in the security function.

FIG. 5 illustrates the execution of the security routines by
the preferred embodiment requiring the physical key to be 
connected to the computer. 

FIG. 6 illustrates the steps for creating BIOS routines
which incorporate the security function.

FIG. 7 illustrates the security routine within a BIOS 
memory in accordance with another embodiment of the 
invention. 

FIG. 8 illustrates the organization of the CMOS RAM 
17(a) in accordance with the second embodiment of the 
invention. 

FIG. 9 is a flow chart which illustrates the creation of a 
BIOS memory having the security function of the second 
embodiment of the invention. 

FIG. 10 illustrates the process executed by the security 
function according to the second embodiment. 

DESCRIPTION OF THE PREFERRED 
EMBODIMENT 

Referring now to FIG. 1, a general organization of a
personal computer 10 is shown which includes a security
function stored as a programming routine within the BIOS
EEPROM 15. As will be evident with respect to the
description of this embodiment, the BIOS routines which provide
for the basic input/output system cannot be completely
executed unless the security function is successfully
executed.

As will be understood by those familiar with the
architecture of a personal computer, a CPU 14, a CMOS RAM
17, and the BIOS memory are supported on a mother board
which permits upgrades to be made to the system. A serial
port 16 permits the computer 10 to communicate with
externally connected devices. A monitor 11 and keyboard 13
provide a user interface with the personal computer 10.

In accordance with the preferred embodiment of the
present invention, a memory device such as a detachable
read only memory (ROM) 19, shown in FIG. 2, having a nine
pin connector 20 may be detachably connected to the serial
port 16. The detachable ROM 19 of FIG. 2 serves as a key
which contains information necessary to permit the BIOS
routine stored within BIOS memory 15 to complete
execution. The BIOS routines perform various functions, such as
power-on self tests (POST), peripheral routines, boot codes,
etc., for initially loading the computer operating system
software from a hard disk memory, or from floppy disk
associated with the computer 10. The key has a small form
factor permitting it to be carried separately by the user on a
key chain. Thus, if the computer 10 is stolen, the key is not
stolen with it.

FIG. 3 illustrates the organization of the BIOS memory 15
which may be a flash EEPROM containing the various
executable BIOS routines as well as routines for
implementing a security function. Inclusion of routines for executing a
security function 25 with the BIOS routines is particularly
useful in preventing a thief from bypassing security
measures which might have been implemented on the hard drive,
or in an application program, or which previously made use
of the CMOS RAM 17. Unless the BIOS routine has
completely executed, the computer operating system can
never be accessed, rendering the computer inoperative.

The contents of the BIOS memory 15 are illustrated in 
FIG. 3, including the POST (power-on self test) routine 23, 
the boot code 22 for loading the computer operating system 
in RAM, and routine 21 for configuring peripheral devices 
connected to computer 10. 

The security routines 25 within the BIOS memory require
a user to follow a specific procedure which identifies the user
as an authorized user. If the user is not verified as authorized,
the BIOS routines will not be completely executed,
rendering the computer inoperative.

The EEPROM of FIG. 3 which serves as the BIOS
memory 15 includes a first unique, one of a kind, computer
ID 28 established by the computer manufacturers, and a
public decryption key 29. As will be evident during the
description of the installation stage, the security key of FIG.
2 stores a unique serial number in ROM 19 as well as an
encrypted value of the product of the key serial number and
the computer's I.D. During execution of the security
function, the contents of key ROM 19 are read. The
encrypted quantity is decrypted, and compared with a
product formed from the serial number read from ROM 19 and
the stored computer I.D. 28 stored in the BIOS memory 15.
If these quantities match, the BIOS routine continues
execution.

Two keys may be provided, and in the event one key is
mislaid, the other key permits access to the administrative
function which can unlock the computer permitting
operation of the computer. The stored public key 29 is provided
at the time the BIOS EEPROM is configured, which permits
decoding of encrypted values stored within the keys. Either
of these keys may be used to gain access to the
administration function should one key be lost or unavailable.

FIG. 4 illustrates the CMOS RAM 17 which is common
to the personal computer architecture. The CMOS RAM 17
includes Drive Configuration Routines 31 and POST
Configuration Routines 32. CMOS RAM 17 has a memory
location 30 which when empty, represents a locked state for
the computer. If the computer is in the unlocked mode, the
memory location 30 is written with a non zero unlocking
code. Once the computer has been set via the administration
mode of the security function 25, to be in the locked state,
the contents of memory location 30 will be set to 00.
Consequently, if the CMOS RAM 17 is removed by a thief,
or otherwise erased, the computer remains in the locked
state, inhibiting completion of the BIOS routine execution.

During the execution of the normal BIOS routines within
the BIOS memory 15 of FIG. 3, the contents of memory
location 30 are checked and if the contents of memory
location 30 of the CMOS RAM 17 indicate a locked
condition, the POST routine 23 will stop execution before
the BOOT routine 22 can be executed, and enter the security
routine 25. Once in the security routine 25, the security
routine attempts to read the contents of the security key
ROM 19 connected to the serial port 16. If security key 19
is connected to serial port 16, the unique key serial number
and encrypted product M are read. The security function
forms a product of the read serial number and the computer
I.D. 28 stored in BIOS EEPROM 15. The security function
25 decrypts the second encrypted value M read from
security key 19, and compares it with the computed product. If
a match is produced by the comparison, the computer goes
on to execute the BOOT codes 22 and peripheral routines 21.

The administration function of the security routine 25
permits the user to place the machine either in an unlocked
state or a locked state. In the unlocked state, the BIOS POST
routine 23 skips the security function and executes the
BOOT code 22 and peripheral routines 21. If the computer
is in the locked mode as previously described, the BIOS
routine execution is halted during execution unless the
appropriate security key ROM 19 is connected to the serial
port 16.
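
The locked-boot check described above (CMOS location 30, key ROM 19, computer I.D. 28 and public key 29), modelled in C as an added example that is not part of the patent text. It uses toy RSA parameters; the unlock code value, the sample serial and I.D. numbers and all function names are assumptions made for the illustration, and the manufacturer-side step that writes M is included only so the example runs stand-alone.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Toy RSA parameters, constructed for this example; far too small for real use. */
#define TOY_P 65519u
#define TOY_Q 65521u
#define TOY_E 65537u
#define TOY_N ((uint64_t)TOY_P * TOY_Q)

#define CMOS_EMPTY       0x00u  /* location 30 empty or erased: locked */
#define CMOS_UNLOCK_CODE 0xA5u  /* hypothetical non-zero unlock code */

enum boot_result { BOOT_OK, BOOT_CONNECT_KEY, BOOT_HALTED };
enum sample_key  { KEY_NONE, KEY_GENUINE, KEY_OTHER_COMPUTER, KEY_FORGED };

struct key_rom { uint32_t serial; uint64_t m; };       /* contents of key ROM 19 */
struct bios { uint32_t computer_id; uint64_t e, n; };  /* I.D. 28 and public key 29 */

/* Square-and-multiply; operands stay below 2^32, so products fit in 64 bits. */
static uint64_t modpow(uint64_t base, uint64_t exp, uint64_t mod) {
    uint64_t r = 1;
    for (base %= mod; exp; exp >>= 1) {
        if (exp & 1) r = r * base % mod;
        base = base * base % mod;
    }
    return r;
}

/* Modular inverse by extended Euclid (needed only on the manufacturer side). */
static uint64_t modinv(int64_t a, int64_t m) {
    int64_t t = 0, nt = 1, r = m, nr = a;
    while (nr != 0) {
        int64_t q = r / nr, tmp = t - q * nt;
        t = nt; nt = tmp;
        tmp = r - q * nr; r = nr; nr = tmp;
    }
    return (uint64_t)(t < 0 ? t + m : t);
}

/* Product of key serial number and computer I.D., reduced to fit the toy modulus. */
static uint64_t id_product(uint32_t serial, uint32_t computer_id, uint64_t n) {
    return (uint64_t)serial * computer_id % n;
}

/* Manufacturer side (FIG. 6, step 69): M is the product encrypted with the private key. */
static struct key_rom make_key(uint32_t serial, uint32_t computer_id) {
    uint64_t phi = (uint64_t)(TOY_P - 1) * (TOY_Q - 1);
    uint64_t d = modinv(TOY_E, (int64_t)phi);
    struct key_rom k = { serial, modpow(id_product(serial, computer_id, TOY_N), d, TOY_N) };
    return k;
}

/* BIOS side: decide after POST whether the boot code may run. */
static enum boot_result bios_boot(const struct bios *b, uint8_t cmos_loc30,
                                  const struct key_rom *key) {
    /* Only the exact unlock code skips the security function, so an erased
       or replaced CMOS RAM is treated as locked. */
    if (cmos_loc30 == CMOS_UNLOCK_CODE) return BOOT_OK;
    if (key == NULL) return BOOT_CONNECT_KEY;            /* no key on serial port 16 */
    uint64_t decrypted = modpow(key->m, b->e, b->n);     /* decrypt M with public key 29 */
    uint64_t expected = id_product(key->serial, b->computer_id, b->n);
    return decrypted == expected ? BOOT_OK : BOOT_HALTED;
}

/* Runs one constructed scenario against a sample computer (all values made up). */
static enum boot_result demo_boot(uint8_t cmos_loc30, enum sample_key kind) {
    const struct bios b = { 0x1234u, TOY_E, TOY_N };
    struct key_rom k = { 0xBEEFu, 0 };
    switch (kind) {
    case KEY_GENUINE:        k = make_key(k.serial, b.computer_id); break;
    case KEY_OTHER_COMPUTER: k = make_key(k.serial, 0x4321u); break;
    /* Forged key: M written as the plain product, without the private key. */
    case KEY_FORGED:         k.m = id_product(k.serial, b.computer_id, b.n); break;
    default:                 return bios_boot(&b, cmos_loc30, NULL);
    }
    return bios_boot(&b, cmos_loc30, &k);
}

int main(void) {
    static const char *names[] = { "boot", "CONNECT KEY", "halted" };
    printf("unlocked, no key:      %s\n", names[demo_boot(CMOS_UNLOCK_CODE, KEY_NONE)]);
    printf("locked, genuine key:   %s\n", names[demo_boot(CMOS_EMPTY, KEY_GENUINE)]);
    printf("CMOS erased, no key:   %s\n", names[demo_boot(CMOS_EMPTY, KEY_NONE)]);
    printf("locked, other PC key:  %s\n", names[demo_boot(CMOS_EMPTY, KEY_OTHER_COMPUTER)]);
    printf("locked, forged M:      %s\n", names[demo_boot(CMOS_EMPTY, KEY_FORGED)]);
    return 0;
}
```

Because the check is an equality test against the unlock code, any other value read from location 30, including whatever a removed or replaced CMOS RAM returns, leaves the machine locked.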

The advantage of the foregoing system is readily
apparent. If the user is concerned about theft, he configures the
machine to be in the locked mode, thereby inhibiting
operation unless his personal security key including ROM
19 is connected to the serial port 16. While the computer 10
is unattended, the user may remove the security key. If the
device of computer 10 is stolen while in the locked mode, a
subsequent user will not be able to activate the computer 10
of FIG. 1 without the unique security key. A security key is
only useful for accessing one computer 10, and the
acquisition of another security key with another serial number or
encrypted value will not enable the thief to operate the
computer 10.

Since the CMOS RAM memory location 30 was
configured so that a zero entry within the CMOS RAM location 30
constitutes the locked mode, replacing the CMOS RAM or
disabling power to it will only place it in the locked mode,
and execution of the BIOS routine is therefore effectively
inhibited rendering computer 10 of nearly worthless value to
a thief, discouraging future thefts.

FIG. 5 illustrates the step-by-step process for executing
the security function 25 as well as locking and unlocking the
computer in accordance with the preferred embodiment. In
step 40 the user attaches the key containing the ROM 19 to
the serial port 16 of the computer. The computer is rebooted
in step 41 through a software reboot command.

Any subsequent operation of the computer requiring the
computer to be rebooted can only occur after the user
attaches the key having ROM 19 to serial port 16 as shown
in step 40 unless the user enters the unlocked state. After
completing the POST routine 42, the BIOS routine examines
the contents of CMOS RAM 17 in step 43, and enters the
security routine 25 if the computer 10 was not previously set
in the unlocked state as is determined in decision block 44.

The computer will be in the lock state if it has not
previously been specifically set in the unlocked state. If the
external ROM 19 is not connected as determined in decision
45, a message is posted to the user "CONNECT KEY". The
security routines are executed in step 46, by first reading the
contents of the ROM of the key 19 attached to serial port 16.
The ROM contains two values, an unencrypted serial
number unique to the key, and an encrypted value M which
represents the product of the serial number of the key and the
computer I.D. number. A decryption subroutine is entered in
step 48, which using the public key 29 stored within the
BIOS memory 15, decrypts the value of the product M. The
security routines then reads, in step 49, the computer I.D.
from location 28 of the BIOS memory 15. A product is
calculated in step 50, between the read serial number from
the attached key 19, and the computer I.D. 28 obtained from
the BIOS memory 15.

The two products are compared in decision block 51 and
if a match occurs, then the user has been verified as
possessing the connect key and is authorized to use the
computer. The remaining boot code is executed in steps 53
and the peripheral routines are executed in step 54. This
represents the completion of the BIOS routine execution,
permitting the user to operate the computer in the normal
way. In the event the comparison is not obtained in decision
block 51, the boot up process is stopped in step 52 inhibiting
any further use of the computer.

In those circumstances where the user believes theft to be
of minimal risk, and wishes to unlock the computer so that
the security key is unnecessary, the user may enter the
administration mode. First, the user enters a setup mode in
step 55, which includes a menu selection ADMINISTRATION
MODE. The user enters the administration mode in
step 56 and is given submenu choices for either entering the
locked state, had the computer been previously unlocked, or
entering the unlocked state had the computer been
previously locked. The locked state is entered in step 58 which
™% c m * g £ ^T*™^ 0 ? l °i l °^° n ^
CM °f RAM 00 f a d ' fa f Value ' and m lh *
f^^V T 15 re P laced ° r ^71 t'T
therefrom, the computer remains in the locked state. Thus,
^ ^ ^ & ^
^ q^qS RAM 17

^ uQlocked ^ fflay ^ entered th ^
mode fey {a s , ep 59 ^ feature In
this mode of operation,
a non-zero unlock code is written in
step 60 to memory location 30 of the CMOS RAM 17. In
this event, each time the computer attempts a boot up
sequence, memory location 30 will be checked in step 43
and if it contains the unlock code, decision block 44 will
direct execution to execute the boot code in step 53, skipping
the security function.

The process of creating the security function as part of the
contents of the BIOS memory is illustrated in FIG. 6. The
process begins with a selection of a private/public key
combination in step 65. The private/public keys will be used
to encrypt a quantity which represents the product of a serial
number for the key as well as the computer I.D. for the
particular computer for which the key operates. The BIOS
memory is prepared by storing within it, the routines
illustrated in FIG. 3 including the POST Routine, security
function routines, boot codes, and the peripheral routines.
Further, the BIOS memory is loaded with the computer I.D.
number for which it is to be installed, as well as the public
key derived in step 65.

Once the routines are loaded for effecting the functions of
FIG. 4, the BIOS memory is installed in the mother board of
the computer 10 in step 67.

A key is selected in step 68 for programming with the
information which is related specifically to the computer 10.
The key includes the ROM 19 which is written in step 69
with a serial number unique to that key, if the serial number
was not included at the time of the ROM manufacture, as
well as an encrypted value M which is equal to the product
of the computer's I.D. and the serial number assigned to the
key.

A central log is maintained in step 70 of each key serial
number and the respective computer I.D. which has been
part of the encrypted value stored within the key.

In this way, in the event the user loses his key, he can
obtain another one from the manufacturer by reporting his
computer I.D. to the manufacturer. The manufacturer using
the master list can identify the serial number of the key and
create, using the private key, a new key for shipment to the
user.

The encryption process is done in a tamper proof facility.
In this way, the manufacturer maintains absolute control
over who may obtain the information which would be useful
in creating counterfeit keys which could be used to defeat
the security function in a stolen computer.

The system also provides additional security in that only
the manufacturer knows the private key so that even with
knowledge of the serial number of the key and computer
I.D., it is not possible to create a counterfeit key. Further,
different manufacturers can use different private/public key
pairs, making it possible for the same BIOS code to be used
in each computer. Each manufacturer would not be able to
generate encrypted values M for another manufacturer's
computer as the encryption public/private key pair is private.

Computer manufacturers may include a warning on each
of the computers, that the computer is equipped with an
anti-theft protection, discouraging theft of a computer which
could not be operated by its subsequent owner.

A variation of the foregoing technique would permit each
computer user to create his own keys. In this instance, each
computer would be sold with a private/public key pair. The
public key would be installed in the BIOS as described, the
private key given to the customer along with a utility file
which permits the generation of additional keys. In this case,
each customer has his own unique private/public key pair
and may configure as many keys as needed to enable as
many authorized users to operate the system.

A variation of the foregoing embodiment may be
implemented when it is undesirable to provide a separate hardware
key for blocking the computer, and instead, relies upon a
user entered password for protection. FIG. 7 illustrates the
configuration of the BIOS EEPROM 15(a) in a system
which relies on a user entered password instead of an
externally connected key to enable complete execution of
the BIOS routines. First and second passwords are entered
in place of a key serial number by the user during an initial
installation to locations 28(a) and 28(b) which may be
written. Two other memory locations within the BIOS
EEPROM 15(a) include a serial number or I.D. number
33(a) for the computer 10 as well as a public key 29(a)
which is used to decrypt passwords entered by a user. As in
the previous embodiment, CMOS RAM 17(a) of FIG. 8
contains the usual drive configuration data 31(a) and port
configuration data 32(a). Further a location 30(a) is reserved
in the CMOS RAM 17(a) to indicate whether the computer
is in a locked state, requiring entry of one of the passwords,
or whether the computer is in an unlocked state in which
case the BIOS routine bypasses the security function and
boots up the computer in the normal way.

The CMOS RAM 17(a) is configured so that in a default
state i.e., when the CMOS RAM 17(a) is cleared by
removing the battery, or replacing it, the computer is in the locked
state. Only when an UNLOCKED code is written to the
CMOS RAM location 30(a) will the BIOS routine complete
execution without requiring a password. As in the previous
embodiment there is an administration mode, to permit the
user to switch between a locked and unlocked state.
Additionally, the administrative mode permits the user to
change passwords, as well as effecting an emergency
operation when the password is lost or forgotten.

FIG. 9 illustrates the process for storing a password as
well as exercising the locking option for locking or
unlocking the computer. The computer in the locked state requires
the user to enter his password each time a boot up sequence
is started. The security function is implemented in the BIOS
routines, such that if a password has been previously entered
in memory, and the user has placed the computer in the
locked state, a prompt will come up during the execution of
the BIOS routines requesting the user to enter his password.
If the password is correctly entered, and the BIOS security
function verifies that the entered password is equal to the
stored password, execution of the BIOS routines continues
and the computer is rendered in an operative condition.

A security administration mode associated with the
security function permits the user to register two valid
passwords, and then to place the computer in either a locked
state or unlocked state. In placing the computer in the
unlocked state, the user must return to the security
administration mode and select either the locked or unlocked state.
Once one password has been registered and stored within the
BIOS EEPROM 15(a), the user cannot return to the security
administration mode unless he enters the appropriate
password. The computer therefore cannot be unlocked without
entering the password.

Along with the first and second user entered passwords
stored in the BIOS EEPROM 15A, an encrypted computer
serial number is provided by the manufacturer of the
computer. The computer serial number will act as an emergency
password, which in the event of the loss of the first and
second passwords, permits the user to enter the
administrative function. The actual computer serial number is not
disclosed to the user, instead a public key encrypted value of
the computer serial number is supplied to the user. The
Public key with the BIOS EEPROM 15(a) decrypts the
encrypted value provided to the user, permitting its
comparison with the actual serial number stored in a memory
location of the BIOS EEPROM 15(a).

FIG. 9 illustrates the process for preparing the security
function for storage in the BIOS EEPROM 15(a). A secure
encryption system such as PKCS or DSS is selected in step
91 from which a private and public key pair is created in step
92. The BIOS routine is compiled in step 93, with the
security function. The BIOS routines are configured to
operate, and invoke the security function if the CMOS RAM
17(a) stores in location 30(a) a locked state code.
Additionally, an administration function which will be
evident from the succeeding figures is incorporated within the
BIOS EEPROM for permitting password registration and/or
changes, as well as selecting a locked or unlocked mode of
operation. The computer serial number is stored within the
BIOS EEPROM memory 15A in its unencrypted state. The
BIOS code and public key is loaded in the BIOS EEPROM
in step 94. The BIOS EEPROM 15(a) is then installed in the
computer 10 mother board.

The computer serial number is also read from the
computer, and a digital signature of the serial number is
created in step 97. The digital signature is printed and sent
along to the user permitting in the case of the loss of either
password, entry to the administrative mode in lieu of use of
the password.

FIG. 10 illustrates, in flow chart form, execution of the
BIOS routines including the security function. At the user
site, the user first executes a boot up command in step 101
for entering one or two passwords which he will use. The
POST Routine is executed in step 102. As no passwords
exist within the BIOS EEPROM memory 15(a) as
determined in 103, the boot up process completes by executing
the remaining BIOS routines in step 104. Following
completion of the boot up process the user may enter a SETUP
mode 105 common to operating system configurations. The
security administration mode 106 is selected by the user
from the SETUP mode menu, which includes several
submenu items. If the setup mode is not selected, the boot up
ends in step 106. The new PASSWORD menu item is
selected by the user in step 107 from the administration
function 106. The user may enter one or two passwords in
step 108 and the security function routine will store the
password in step 109 in the BIOS EEPROM memory 15(a).
This feature also permits new passwords to be entered in
place of any two previously entered passwords.

If a single password has been entered into the BIOS
EEPROM 15A, a subsequent boot up and selection of the
security administration mode will require use of the single
password. An additional password may be entered into the
system by the first user, from the same menu selection from
the security administration mode.

If the user wishes to lock or unlock the computer and enter
the SETUP mode in step 105, he enters the security
administration mode in step 106 again. One of the menu items
provided in the security administration mode is a lock state
112, as well as an unlock state 113. By selecting the lock
state 112 each subsequent boot up of the computer 10 will
request a password verification from the user. The selection
of the lock state clears the memory location 30(a) of the
CMOS RAM 17(a). The BIOS routine will therefore
encounter the default value in location 30(a) during each
subsequent execution in step 115 and decision block 116 will
require that the BIOS function execute the security function.

Execution of the security function in step 118 will
generate a prompt to enter the password in step 119. The user
enters a password which is verified in decision block 120 by
the security function and the boot up process completes
execution in step 104.

The computer 10 may be unlocked by returning to the
security administration mode and selecting the appropriate
unlock submenu item 113. Selecting the unlocked state will
write an unlock code at location 30(a) of the CMOS RAM
17(a) in step 123. Subsequent boot up processes will check
the contents of location 30(a) of CMOS RAM 17(a) in
decision block 116 and skip the security function.

The embodiment provides an emergency mode such that
the user can enter the administration mode without entering
either one of the user selected passwords, if he had access to
the digital signature supplied with the computer. The user,
instead of entering a password, enters the encrypted
signature supplied to him in step 119. The public key stored
within the BIOS memory 15A decrypts the entered digital
signature, to a value equal to the computer serial number.
This signature is verified by the BIOS security function in
decision block 124, by comparing it to the computer serial
number stored within the BIOS EEPROM 15A. The
administration mode may then be entered in step 106 which
provides for a menu selection of either selecting a new
password. Entry and storage of the new password are
effected as in the original password registration.

If the decrypted signature and stored computer serial
number do not match, execution stops in step 125, and a
message is displayed in step 126 "INCORRECT PASSWORD".
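
The boot-time decision described in the preceding paragraphs (lock flag check in block 116, password check in block 120, emergency signature check in block 124), as an added C example that is not code from the patent. The unlock code value, the toy RSA key (n = 3233, e = 17), the serial number 1234, the stored password, the decimal encoding of the signature, all function names and the full-length password comparison are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed values for illustration; none of them come from the patent. */
#define UNLOCK_CODE 0xA5u  /* hypothetical unlock code for location 30(a) */
#define RSA_N 3233u        /* toy modulus 61*53, far too small for real use */
#define RSA_E 17u          /* toy public exponent stored with the BIOS */
static const uint32_t SERIAL = 1234u;        /* serial number in the EEPROM */
static const char STORED_PW[] = "s3cret-pw"; /* password registered earlier */

enum boot_result { BOOT_CONTINUE, BOOT_ADMIN_MODE, BOOT_HALT };

/* Square-and-multiply modular exponentiation. */
uint32_t modpow(uint32_t base, uint32_t exp, uint32_t mod) {
    uint64_t r = 1, b = base % mod;
    for (; exp; exp >>= 1, b = b * b % mod)
        if (exp & 1) r = r * b % mod;
    return (uint32_t)r;
}

/* Compare every byte so timing does not reveal how much matched. */
static int pw_equal(const char *entered, const char *stored) {
    size_t n = strlen(stored), m = strlen(entered), i;
    unsigned char diff = (unsigned char)(n != m);
    for (i = 0; i < n; i++)
        diff |= (unsigned char)(entered[i < m ? i : m] ^ stored[i]);
    return diff == 0;
}

/* cmos_30a: byte read from CMOS location 30(a); entry: text the user typed. */
enum boot_result boot_security_check(uint8_t cmos_30a, const char *entry) {
    char *end;
    if (cmos_30a == UNLOCK_CODE)
        return BOOT_CONTINUE;   /* block 116: unlocked, skip security function */
    /* Any other value (cleared, default, battery pulled) means locked. */
    if (pw_equal(entry, STORED_PW))
        return BOOT_CONTINUE;   /* block 120: password verified */
    /* Emergency mode: entry is a decimal signature; apply the public key. */
    unsigned long sig = strtoul(entry, &end, 10);
    if (end != entry && *end == '\0' && sig < RSA_N &&
        modpow((uint32_t)sig, RSA_E, RSA_N) == SERIAL)
        return BOOT_ADMIN_MODE; /* block 124: enter administration mode */
    return BOOT_HALT;           /* steps 125-126: "INCORRECT PASSWORD" */
}
```

Treating every value other than the unlock code as locked is what makes clearing or removing the CMOS contents useless for bypassing the check.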

In the event a user loses both passwords and digital
signatures, it is possible for the manufacturer to clear 
passwords from the BIOS permitting the security to be 
reestablished. Additionally, it is possible to have a user 
phone in the computer serial number, at which point a digital 
signature is created and supplied to the user. 

Obviously, the disclosure to the user of the digital signa- 
ture or any cooperation in removing the passwords will 
depend on a user establishing his authority, thus avoiding 
any cooperation with a thief or his purchaser. 

Thus there has been described with respect to embodi- 
ments a method for providing computer security through the 
BIOS function. Those skilled in the art will recognize yet 
other embodiments of the invention identified by the claims 
which follow. 

What is claimed is: 

1. An apparatus for preventing theft of a personal com- 
puter comprising: 
a personal computer having a processing unit having a
BIOS routine stored in a BIOS memory, which initiates
operation of an operating system of said computer, said
BIOS routine including a security function which
requests a unique quantity [...] perform
the function of checking the contents of a random
access memory within said computer to determine if 
the security function is on or off, requesting a user to 
enter a said unique quantity if said security function is 
on, comparing said quantity with a quantity previously 
stored in said BIOS memory, and enabling said BIOS 
to continue execution to invoke said operating system 
if said quantities match, wherein said security function 
includes a series of programming steps which provide 
an administration function, said administration func- 
tion providing a lock function by programming said 
random access memory with a lock code at the request 
of a user which requires entry of said unique quantity 
each time said computer is operated, or an unlock 
function for programming said random access memory 
with an unlock code at the request of the user which 
does not require the entry of a user supplied quantity for 
subsequent operation. 

2. The apparatus according to claim 1 wherein said 
security function includes stored in said BIOS memory a 
stored serial number, and which includes a series of pro- 
gramming steps which verify if a user supplied quantity is 
equivalent to said serial number. 

3. The apparatus according to claim 2 wherein said 
administration function includes a series of computing steps 
which permit a user to change said quantity stored in said 
BIOS memory following entry of a previously entered 
quantity. 

4. The apparatus according to claim 1 wherein said 
random access memory is a battery operated random access 
memory. 

5. A method for protecting a computer from unauthorized 
use by storing in a BIOS memory containing BIOS instruc- 
tions a security function which is capable of inhibiting 
operation of said computer, said security function compris- 
ing the following programming steps: 

checking the contents of an internal random access 
memory for a locked state command to see if said 
computer was previously placed in a locked state; 

if said computer is in the locked state, requesting said user 
to enter a password; 

comparing said password with a password previously 
entered into said BIOS memory; and 

inhibiting execution of said BIOS instructions if said 
passwords do not agree. 

6. The method according to claim 5 further comprising 
storing a programming routine in said BIOS memory which 
permits a user to place the computer in an unlocked state 
following verification that said passwords agree. 

7. The method according to claim 5 wherein said pro- 
gramming step for placing said computer in an unlocked 
state deletes from said internal memory said locked state 
command. 

8. A method for inhibiting access to a personal computer 
device comprising: 

storing within a BIOS memory having BIOS instructions 
for executing a boot up sequence, a public key as well 
as instructions to inhibit execution of a portion of said 
sequence of said instructions until a user's authority is
validated; 

storing a unique code identifying said computer device
into said BIOS memory;

calculating a digital signature from said unique code;

at boot up time for said personal computer, prompting a
user to enter a password;

entering said digital signature in lieu of a password;

verifying said digital signature from said stored public
key and said unique code thereby validating said user's
authority; and

entering an administration mode which permits said user 
to enter a personal password into said BIOS memory 
for future use and to continue said boot up sequence by 
said computer. 

9. The method according to claim 8 wherein said BIOS 
instructions request said user to enter said user password 
during future execution of said instructions to boot up said 
computer, and inhibits said boot up sequence if said user 
does not enter said password. 

10. The method according to claim 9 wherein said admin- 
istration mode permits selection of a locking state by said 
user which inhibits completion of each subsequent boot up 
sequence unless a user password is entered each time said 
boot up instructions are executed. 

11. The method according to claim 10 wherein said 
locking state is effected by writing a locking code to an 
internal memory which is read each time a subsequent 
execution sequence of BIOS instructions occurs, and said 
BIOS instructions continuing execution only if said user 
enters a valid password. 

12. The method according to claim 11 wherein said user 
is given an option by said administration mode following 
verification of said entered password to exit said locking 
state. 

13. The method according to claim 12 wherein said BIOS 
instructions exit said locking state by deleting said locking 
code from said internal memory. 

14. An anti-theft protection device for a personal computer
comprising: 



a programmable memory within said computer for storing
BIOS routines for booting up said computer as well as
a security routine having unique security information
which communicates with an internal memory and an
externally connected device having unique information
contained therein;

a detachable external memory device containing said
unique information which is used by said security
routine to enable execution of said BIOS routine when
said unique security information matches said unique
information when said internal memory includes a
locking code, whereby said BIOS routine can only be
completely executed if said external memory device is
in communication with said computer;

wherein said security routine includes an Administration
function which permits said user to enter a command to
unlock said computer from a locked state whereby said
BIOS routines may be subsequently executed in the
absence of said external device; and

wherein said administration function unlocks said computer
from a locked state by inserting unlocking data in
a specified location in said internal memory of said
computer, and said BIOS routines read said location
each time said computer is activated, permitting execution
of said BIOS routines if said unlocking data is
present in said internal memory.

15. The anti-theft device according to claim 13 wherein
during execution of said BIOS routines, said security function
prompts a user to connect said external memory device
to said computer if said computer is in the locked state.

16. The device according to claim 14 wherein said inter- 
nal memory is a battery operated random access memory. 

***** 